LinkedIn Passwords Leaked
Home away from home
Joined:
2007/12/4 9:00
From Derbyshire/UK
Posts: 2076
http://www.bbc.co.uk/news/technology-18338956

Quote:

Social networking website LinkedIn is investigating claims that over six million of its users' passwords have been leaked onto the internet.

Hackers posted a file containing encrypted passwords onto a Russian web forum.

They have invited the hacking community to help with decryption.

LinkedIn, which has over 150 million users, has not released a formal statement, but tweeted: "Our team is currently looking into reports."

Later, it added: "Our team continues to investigate, but at this time we are still unable to confirm that any security breach has taken place."

Security researcher Graham Cluley told the BBC he believed the breach was genuine.

"We've confirmed there are LinkedIn passwords in the data.

"We did this by searching through the data for (hashed) passwords that we at Sophos use only on LinkedIn. We found those passwords in the data. We also saw that hundreds of the passwords contain the word 'Linkedin'.

"Our advice is to change your LinkedIn password. And if you use the same password on other accounts, change it there too."


It turns out they used SHA-1 hashing with no salt keys.

And this is exactly why I am AGAINST using these single login & other authentication systems such as Facebook, OAuth, LinkedIn, Twitter & so on.

The truth is you don't know how secure they are, & time & again, these so called secure systems have been exploited & people discovered their hashing was not as secure as everyone thought. DO NOT COMPROMISE SECURITY FOR THE SAKE OF USER CONVENIENCE!!!!!!!!!!

Posted on: 2012/6/6 18:40
_________________
Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: LinkedIn Passwords Leaked
Home away from home
Joined:
2007/12/4 9:00
Posts: 1132
I suggest we seriously consider adding password stretching to ICMS. It's trivial to implement as it just involves rehashing the password hash a large number of times.

Basically it just increases the amount of work required to calculate the password hash, greatly slowing down offline attacks to the point where they become painful or infeasible to do.

Posted on: 2012/6/7 3:02
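As an added example (not code from this thread or from ImpressCMS), the Python below contrasts the unsalted SHA-1 scheme described in the first post with the salted, stretched storage proposed in the reply above; the user names and passwords are constructed sample data, and PBKDF2-HMAC-SHA256 stands in for the "rehash the hash a large number of times" idea.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users happen to pick the same weak password.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "correct horse battery"}


def sha1_unsalted(password: str) -> str:
    """The scheme the leaked file used: one SHA-1 over the bare password."""
    return hashlib.sha1(password.encode()).hexdigest()


def duplicate_hash_count(passwords) -> int:
    """Without salt, equal passwords give equal hashes: one crack covers every reuse,
    and words like 'Linkedin' can be spotted by hashing guesses once for the whole dump."""
    hashes = [sha1_unsalted(p) for p in passwords]
    return len(hashes) - len(set(hashes))


def password_in_leak(password: str, leaked_sha1_hashes: set) -> bool:
    """Defender's check (as Sophos did): hash a password you own and look it up in the dump."""
    return sha1_unsalted(password) in leaked_sha1_hashes


def stretched_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted and stretched: PBKDF2-HMAC-SHA256 repeats the HMAC `iterations` times,
    multiplying the attacker's cost per guess by the same factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, iterations: int = 200_000) -> str:
    """Stored form 'iterations$salt$digest' (hex), so the work factor can be raised later
    without breaking existing records. Fresh random salt per user."""
    salt = os.urandom(16)
    digest = stretched_hash(password, salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = stretched_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("duplicate unsalted hashes:", duplicate_hash_count(USERS.values()))
    rec = make_record(USERS["alice"])
    print("record:", rec)
    print("verify ok:", verify(USERS["alice"], rec), "wrong:", verify("guess", rec))
```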


Re: LinkedIn Passwords Leaked
Home away from home
Joined:
2007/12/4 9:00
From Derbyshire/UK
Posts: 2076
Well that's definitely on the cards, I already have a better method of securing passwords utilising the existing method with improvements, 1 of those is using stretching. I know of 1 flaw in the system we use (though I'm the only 1 who is aware of that, I will share that info with trusted devs providing we use either OTR encryption on MSN or use GnuPG encryption on emails).

The biggest job is implementing it & being able to do the pass expiry. But I've already figured out a way of doing that.

Posted on: 2012/6/7 21:16
_________________
Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: LinkedIn Passwords Leaked
Home away from home
Joined:
2009/3/3 4:18
From Belgium
Posts: 1752
When relying on a third party for some data, there's the risk you have to evaluate whether that party can be trusted with the type of data you share with it. Unfortunately, it's not because you are a big site that your procedures and developments are the best. That's what happened here with LinkedIn, a major flaw in their security.

We won't be able to stop users from using that kind of services to login (Twitter, Facebook, OpenID, heck, even LDAP if it's on a hosted server somewhere else), but we can make sure that the services WE provide are the most secure possible.

It's clear that any idea around raising security even higher than we already have will be looked at with big interest. Not only by the team, but also by current and potential users. I'm interested to see what you come up with, Vaughan.

Posted on: 2012/6/7 22:14
_________________
ImpressCMS.TV - Video Tutorials
d-log - My personal site

Me on Ohloh


Re: LinkedIn Passwords Leaked
Home away from home
Joined:
2007/12/4 9:00
From /home/日本
Posts: 1768
The next story is last.fm with more than 2.5 million accounts, all with unsalted MD5 hashes ==> OMG !!!

Posted on: 2012/6/8 2:43


Re: LinkedIn Passwords Leaked
Home away from home
Joined:
2007/12/4 9:00
Posts: 4112
If you have an account on LinkedIn, you can check if your password was leaked/cracked - http://shiflett.org/blog/2012/jun/leakedin

If you haven't changed your password yet, I'd recommend changing it before checking to see if it's on the list. I trust the site link above - Chris Shiflett is a well-known and trusted PHP developer and blogger on security issues.

How do we respond to this, as a community-focused system? There are 3 parts to all of this - authentication, authorization, and cryptography - and we need to address them all.

Authentication: establish identity
Authorization: grant privileges
Cryptography: encrypting, hashing and hiding sensitive data for transmission and storage

Logging into a website uses all 3.

@madfish has explained some of the principles of this in the documentation for the Yubikey module - the basics of authentication are in knowing or having something unique. 1-factor authentication only requires one or the other. 2-factor authentication requires both.

The sites that were recently hacked failed because they had poor cryptography. 2-factor authentication would have reduced their risk dramatically, as would better general programming.

In all of this, we have not talked about policy - another major factor in the security of any system. Recommended read - http://www.schneier.com/blog/archives/2010/11/changing_passwo.html It talks mostly about password rotation, but covers some good points about having passwords appropriate for the content they protect.

Posted on: 2012/6/8 3:31
_________________
Steve
Twitter: @skenow
Facebook: Steve Kenow